Let's say you need to access your Ubuntu Linux PC at home from another PC behind a very restrictive firewall. Let's also say that all you have access to is port 80 (http) and port 443 (https). Let's unlock this situation. I'll show you how to set up Shell In A Box with an additional layer of security provided by Apache2 SSL. A prerequisite for this guide is a fully working Apache 2 installation on your Ubuntu system. If you need instructions for this, you can find them on one of my older posts:
In this post I'll mostly give you CLI commands without too much explanation, so it is up to you to go through the procedure and adjust it to your own setup. The reason for this approach is that the procedure is a bit long and a full explanation could run to 10 pages. Of course I'll give a basic explanation of the most important commands. So let's get down to business...
Basic HTTPS Shell In A Box
First we download and install Shell In A Box. You can download the .deb file for your operating system's architecture by visiting the Shell In A Box official page here.
Next thing is to install Shell In A Box:
sudo dpkg -i shellinabox*.deb
Now we need to add a few options to Shell In A Box .conf file:
sudo gedit /etc/default/shellinabox
You need to replace the SHELLINABOX_ARGS line so that the daemon listens only on localhost and leaves SSL to Apache:
SHELLINABOX_ARGS="--no-beep --localhost-only --disable-ssl"
Let's enable the necessary Apache2 modules:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl
Now we need to copy default Apache 2 SSL virtual host and modify it for our purpose:
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/default-ssl-shellinabox
sudo gedit /etc/apache2/sites-available/default-ssl-shellinabox
We need to add the following inside the <VirtualHost> </VirtualHost> tags:
<Location /shell>
    ProxyPass http://localhost:4200/
    Order allow,deny
    Allow from all
</Location>
Now we enable our new site and restart Shell In A Box and Apache2 services:
sudo a2ensite default-ssl-shellinabox
sudo service shellinabox restart
sudo service apache2 restart
Custom self signed SSL certificate
You can already access your Ubuntu Linux PC shell at https://localhost/shell. If you also need an additional layer of security using HTTP authentication besides your account's user name and password, read on. Ubuntu comes with a "default" SSL certificate, so your https page is working, but the safe bet is to create a custom self-signed SSL certificate. This process will require a password (make up something complex) that you'll need to remember or write down. When the process asks you for things like country, name etc., feel free to leave them blank; I do. If you set the "Common Name" field to, say, www.TechyTalk.info, the certificate could only be used on www.TechyTalk.info, so the best way is to leave everything blank for our "hobby" purpose.
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
sudo mkdir /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl/
Now we will adjust our Apache2 virtual host and point it to the SSL certificate we have just created:
sudo gedit /etc/apache2/sites-enabled/default-ssl-shellinabox
Adjust "SSLCertificateFile" and "SSLCertificateKeyFile" lines to the following:
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
If you don't plan to use HTTP authentication, you should restart Apache2 now; otherwise you can proceed.
sudo service apache2 restart
So now our site is using our custom SSL certificate. The next thing is to set up HTTP authentication. The intention is to require an additional password, besides your account's password, to access your PC (you can never be too safe). Here is the command to make this happen with your additional user name (make sure to replace ##USERNAME## with your username):
sudo htpasswd -c /etc/apache2/.htpasswd ##USERNAME##
Please remember the password you gave to htpasswd because this password will be used for HTTP authentication.
Now we need to modify Apache2 mod proxy .conf file to allow authenticating with ##USERNAME##. Make sure to replace ##USERNAME## with your username.
sudo gedit /etc/apache2/mods-available/proxy.conf
We need to modify it like this:
ProxyRequests Off
<Proxy *>
    AddDefaultCharset off
    AuthUserFile /etc/apache2/.htpasswd
    AuthName EnterPassword
    AuthType Basic
    require user ##USERNAME##
    Order allow,deny
    Allow from all
</Proxy>
Now we restart Apache2:
sudo service apache2 restart
That's it. Now you go to https://localhost/shell, enter the HTTP user name and password, then your Ubuntu Linux user name and password, and do whatever you want to do on your PC remotely. In addition to this, if you connect using ADSL or wireless broadband, it is useful to set up something like DynDns so you can access your PC using a user-friendly domain name.
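A quick audit of the files edited in this guide, as an added example that is not part of the original post: it checks that Shell In A Box stays on localhost with its own SSL off, that the <Proxy *> block really demands a login, and that the passphrase-less server.key is readable by its owner only. The function names and the sample user "alice" are made up for the example.

```shell
# Added example, not from the original post; function names are made up here.

# SHELLINABOX_ARGS must keep the daemon on loopback with its own SSL off,
# because Apache is the only listener meant to be reachable and it does the TLS.
check_shellinabox_args() {
    args=$(sed -n 's/^SHELLINABOX_ARGS="\(.*\)".*$/\1/p' "$1" | tail -n 1)
    for flag in --localhost-only --disable-ssl; do
        case " $args " in *" $flag "*) ;; *) echo "FAIL: $flag missing in $1"; return 1 ;; esac
    done
}

# The <Proxy *> block must carry AuthType, AuthUserFile and a require line.
check_proxy_auth() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "<proxy" && $2 == "*>" { inblk = 1; next }
        tolower($1) == "</proxy>" { inblk = 0 }
        inblk && tolower($1) == "authtype" { t = 1 }
        inblk && tolower($1) == "authuserfile" { f = 1 }
        inblk && tolower($1) == "require" && tolower($2) ~ /^(user|valid-user)$/ { r = 1 }
        END { exit !(t && f && r) }
    ' "$1" || { echo "FAIL: <Proxy *> in $1 does not enforce a login"; return 1; }
}

# server.key had its passphrase stripped, so the file mode is its only protection.
check_key_mode() {
    mode=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    [ "$mode" = "------" ] || { echo "FAIL: $1 is accessible beyond its owner ($mode)"; return 1; }
}

# Constructed sample files that mirror the guide, for an offline dry run.
make_samples() {
    printf '%s\n' 'SHELLINABOX_ARGS="--no-beep --localhost-only --disable-ssl"' > "$1/shellinabox"
    printf '%s\n' 'ProxyRequests Off' '<Proxy *>' 'AuthUserFile /etc/apache2/.htpasswd' \
        'AuthName EnterPassword' 'AuthType Basic' 'require user alice' '</Proxy>' > "$1/proxy.conf"
    : > "$1/server.key" && chmod 600 "$1/server.key"
}

audit() {  # usage: audit <shellinabox defaults file> <proxy.conf> <server.key>
    fails=0
    check_shellinabox_args "$1" || fails=$((fails + 1))
    check_proxy_auth "$2" || fails=$((fails + 1))
    check_key_mode "$3" || fails=$((fails + 1))
    echo "$fails check(s) failed"; return "$fails"
}

# Dry run on the samples; on a real system pass the three real paths to audit.
d=$(mktemp -d) && make_samples "$d" && audit "$d/shellinabox" "$d/proxy.conf" "$d/server.key"
```

On the system from this guide the three arguments are /etc/default/shellinabox, /etc/apache2/mods-available/proxy.conf and /etc/apache2/ssl/server.key. If the key check fails, sudo chmod 600 on the key is enough, because Apache reads the key as root at startup.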
This post is a bit longer, so there's a lot of room for mistakes on my part and yours. So please, if something doesn't work, comment here so I can correct any mistakes. Cheers!